Token PIN generated by RSA for passcode generation or PIN provisioned by user

I had used RSA for secure ID token in our product, which used to have a flow like this:

User enters first time with TokenCode -> RSA SHARES PIN for user and "Secure ID" is set --> User stores PIN and uses to generate Token every time to get passcode...

With the recent RSA ver 8.3 setup we found a change in this initial PIN setup flow: the user is now prompted to set a PIN instead of a PIN being provided to the user. The current flow looks like this:

User enters first time with TokenCode -> RSA REQUESTS for PIN and upon confirmation of same PIN from user "Secure ID" is set --> User stores PIN and uses to generate Token every time to get passcode...

This change is impacting our existing interface software and we need more information regarding this change.

Can you please help us with the following info:

1. Can we configure tokens / RSA to be like the previous config, where RSA provides the PIN to the user? If we can provision this, please share the steps to do so.

2. When was this change introduced, and do we have to maintain the same across all products / Lic.? What are the RSA ver and RSA tool ver it should work with?

We have an RSA demo version for our development and test for a Cisco leading optical transport product that supports RSA-based authentication. It's a field-deployed config that we need to support with updates across our platforms and RSA.

You should be able to configure the token policy for system generated PIN. You did not mention your prior AM version.

What was changed was older versions had an option to allow the end-user to select whether they would select a PIN or allow the system to generate a PIN on their behalf. This mode has been deprecated. The token policy is configured to either allow the user to assign the PIN or to have it generated by the system and provided to the user.

1. Can we configure tokens / RSA to be like the previous config, where RSA provides the PIN to the user? If we can provision this, please share the steps to do so.

2. When was this change introduced, and do we have to maintain the same across all products / Lic.? What are the RSA ver and RSA tool ver it should work with?

This was introduced starting with AM 7.x. All certified partner agents should handle the system generated (or user-specified) PIN protocol.

Some notes....

If you've altered or created different policies for different security domains, you'll need to make sure the policy associated with the user's Security Domain has the "Require System Generated PIN" setting.

When this policy setting is changed, users will be forced to get a new (system-generated) PIN next time they authenticate.

I am able to set a non-default token policy under Authentication > Policies > Token Policies, which restored the old config in this newly installed RSA server.

What I missed here is token-based selection for such a change. I have other token users with a different product who might be using the default policy, but this change will impact all. Do we have ways to group such different sets of policy users based on product?

It's not relevant now, but as you asked, I was using the v8.0 RSA server years back for our test.